### Terraform Version

```
0.12.6
```

(We are potentially able to upgrade to a newer version, but it isn't apparent from parsing the 0.12.7 and 0.12.8 changelogs that this issue has been resolved)

### Terraform Configuration Files

```hcl
# service/main.tf
resource "kubernetes_deployment" "deployment" {
  spec {
    dynamic "volume" {
      for_each = var.secrets
      iterator = each
      content {
        name       = "vol${replace(lower(each.value.path), "/", "-")}"
        mount_path = "${each.value.path}"
      }
    }
    volume {
      name = "some-config"
      config_map {
        name = "config-map-name"
      }
    }
    volume {
      name = "some-cert"
      secret {
        secret_name = "secret-name"
      }
    }
  }
}

# service/variables.tf
variable "secrets" {
  type    = list(object({ path = string, data = map(string) }))
  default = []
}

# main.tf
module "service-a" {
  source = "./modules/service"
  ...
  secrets = [
    {
      path = "/path/to/secret"
      data = {"key" : "value"}
    },
    {
      path = "/path/to/other/secret"
      data = {"key" : "value"}
    },
  ]
}

module "service-b" {
  source = "./modules/service"
  ...
}
```

### Expected Behavior

When the static `volume` blocks are removed from `services/main.tf`, they should be removed in both `kubernetes_deployment.deployment` resources (`module.service-a.kubernetes_deployment.deployment` and `module.service-b.kubernetes_deployment.deployment`)

### Actual Behavior

Only the `service-a` deployment is detecting that the static volumes have been removed. `service-b` continues to rely on them (which causes issues when the underlying resources that the volumes point to are removed and we try to roll out a new image).

### Steps to Reproduce

1. `terraform init`
2. `terraform apply`
3. Remove the static `volume` blocks from `services/main.tf`
4. `terraform plan`

### Additional Context

In reality, we have 4 modules defined in the root-level `main.tf`; two of them have secrets, the other two do not (ergo, the first two are generating some data for the dynamic block while the latter are not). The two without secrets are refusing to acknowledge that the static volume blocks have been removed, while the two with secrets are correctly acknowledging that fact.

There is also a dynamic `init-container` block (that we populate iff the service has a database dependency) in `service/main.tf` that has value for the two _without_ secrets; however, nothing in that block references the static `volume` blocks.